NGINX Configuration for Multiple Certificates
NGINX typically supports two scenarios for configuring multiple certificates: Providing multiple certificate types (e.g., RSA and ECC) for the same domain. Hosting multiple domains on the same IP address, using different certificates selected based on the client-provided SNI. Generating Certificates Use the ssl_cert_chain_tool.sh script to generate a set of valid certificates: 1 2 3 4 5 6 7 8 # RSA Certificates ssl_cert_chain_tool.sh -a RSA -o a_cert -n a.example.com -u ssl_cert_chain_tool.sh -a RSA -o b_cert -n b.example.com -u ssl_cert_chain_tool.sh -a RSA -o c_cert -n c.example.com -u # ECC Certificates ssl_cert_chain_tool.sh -a ECC -o d_cert -n d.example.com -u ssl_cert_chain_tool.sh -a ECC -o e_cert -n e.example.com -u Support for Multiple Certificate Types 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 http { include mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; server { listen 0.0.0.0:443 ssl; ssl_protocols TLSv1.3 TLSv1.2; server_name a.example.com b.example.com c.example.com d.example.com e.example.com; ssl_prefer_server_ciphers on; # RSA and ECC Certificates ssl_certificate a_cert/server.cert.pem; ssl_certificate_key a_cert/server.key.pem; ssl_certificate e_cert/server.cert.pem; ssl_certificate_key e_cert/server.key.pem; ssl_certificate d_cert/server.cert.pem; ssl_certificate_key d_cert/server.key.pem; ssl_certificate c_cert/server.cert.pem; ssl_certificate_key c_cert/server.key.pem; ssl_certificate b_cert/server.cert.pem; ssl_certificate_key b_cert/server.key.pem; location / { return 200 'Multi-certificates test\n'; } } } During the handshake process, the server selects the appropriate certificate based on the signature algorithm. OpenSSL handles this in the tls_post_process_client_hello->tls_choose_sigalg function, which processes the client hello message and selects the most suitable certificate based on the signature algorithms and the server’s configuration. ...